ramnit | a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe
Size

101KB
MD5

eb27e26aab741f30ad324ebf176325e4
SHA1

9394410fe2ccc392a5d5d5afe0cf6fa36d0b6b1d
SHA256

a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3
SHA512

eb984df01e8d84f0295521350bed8d354f2cb9a3a7efccf26d40cdf199d61e64dfceba34c9b9e70bf1b302422c331e51f86105811119b4559a1a06d0ed1a53db
SSDEEP

3072:9gIpT1t2YXm8XdstQculie6qbcU5jwaaHw7Koj4r:aIx1dX3XCt2bB

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
3920	rjqymcipqfpmhkie.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2236	4484	WerFault.exe	80
1264	3504	WerFault.exe	87

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999690"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999690"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999690"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{86F2CFB0-707D-11ED-AECB-EE6CABA3804C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1538090049"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376556973"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1572777643"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1538090049"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999690"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1730591202"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	IEXPLORE.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe
Token: SeDebugPrivilege	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe
Token: SeSecurityPrivilege	3920	rjqymcipqfpmhkie.exe
Token: SeLoadDriverPrivilege	3920	rjqymcipqfpmhkie.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4484	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	80
PID 3312 wrote to memory of 4944	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	84
PID 3312 wrote to memory of 4944	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	84
PID 3312 wrote to memory of 4944	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	84
PID 4944 wrote to memory of 5100	4944	iexplore.exe	85
PID 4944 wrote to memory of 5100	4944	iexplore.exe	85
PID 5100 wrote to memory of 1608	5100	IEXPLORE.EXE	86
PID 5100 wrote to memory of 1608	5100	IEXPLORE.EXE	86
PID 5100 wrote to memory of 1608	5100	IEXPLORE.EXE	86
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 3504	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	87
PID 3312 wrote to memory of 1632	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	92
PID 3312 wrote to memory of 1632	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	92
PID 3312 wrote to memory of 1632	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	92
PID 1632 wrote to memory of 2160	1632	iexplore.exe	93
PID 1632 wrote to memory of 2160	1632	iexplore.exe	93
PID 5100 wrote to memory of 4180	5100	IEXPLORE.EXE	94
PID 5100 wrote to memory of 4180	5100	IEXPLORE.EXE	94
PID 5100 wrote to memory of 4180	5100	IEXPLORE.EXE	94
PID 3312 wrote to memory of 3920	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	101
PID 3312 wrote to memory of 3920	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	101
PID 3312 wrote to memory of 3920	3312	a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe	101

C:\Users\Admin\AppData\Local\Temp\a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe
"C:\Users\Admin\AppData\Local\Temp\a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 204
    3⤵
    - Program crash
    PID:2236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:82950 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4180
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 204
    3⤵
    - Program crash
    PID:1264
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\rjqymcipqfpmhkie.exe
  "C:\Users\Admin\AppData\Local\Temp\rjqymcipqfpmhkie.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4484 -ip 4484
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3504 -ip 3504
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
bd4f3cb3175ff83bbc2c827705950a60

SHA1
9d940539de8317a8a6444559d9fc9f190dd9f80b

SHA256
ff821119d7d2bf9d795503ed63996c81611b84cdcdacac943da9a9ae2d0d2384

SHA512
02b99cb5a7e2cf6004fd010c5718f85830aca7b6f43b5ed929d2df8ca4209a29cfd9e54280a35392b2617ab58e578c097834ce24e9baa8b226c6181c64c0d377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1fc0cda4af1ba8835071ea0d07ab6dd6

SHA1
c48b584a262c4fbd97e81757fa7e188d05ea4d44

SHA256
5afae06546bc9f2f9a4a51b0c39a283658defaad991864e80327a798d42ddee9

SHA512
397d36c82ed1c8b0c82b575085a4e89febe938751093ccb96d0d83ba3c79cf6b844f2e86793055a339670753755c19e53af571b964d36dee64d37ca05e05f97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjqymcipqfpmhkie.exe

Filesize
101KB

MD5
eb27e26aab741f30ad324ebf176325e4

SHA1
9394410fe2ccc392a5d5d5afe0cf6fa36d0b6b1d

SHA256
a1a4b638fa64136abf641c807a9c3fa1f639a1be4823d3c5cd95092766405ac3

SHA512
eb984df01e8d84f0295521350bed8d354f2cb9a3a7efccf26d40cdf199d61e64dfceba34c9b9e70bf1b302422c331e51f86105811119b4559a1a06d0ed1a53db

Download Submit
memory/3312-132-0x0000000000400000-0x000000000043A200-memory.dmp

Filesize
232KB

Download
memory/3312-133-0x0000000000400000-0x000000000043A200-memory.dmp

Filesize
232KB

Download
memory/3312-136-0x0000000000400000-0x000000000043A200-memory.dmp

Filesize
232KB

Download
memory/3312-143-0x0000000000400000-0x000000000043A200-memory.dmp

Filesize
232KB

Download
memory/3504-138-0x0000000000000000-mapping.dmp

Download
memory/3920-141-0x0000000000000000-mapping.dmp

Download
memory/3920-144-0x0000000000400000-0x000000000043A200-memory.dmp

Filesize
232KB

Download
memory/4484-135-0x0000000000000000-mapping.dmp

Download